MidnightBSD

Advisories for ruby-lang

CVE-2008-1145 MEDIUM

Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor Product Version
fedoraproject fedora 7
ruby-lang webrick -
fedoraproject fedora 8
CVE-2008-2376 HIGH

Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189

Products Affected

Vendor Product Version
ruby-lang ruby 1.8.6.230
CVE-2008-4310 HIGH

httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399

Products Affected

Vendor Product Version
ruby-lang ruby 1.8.1
ruby-lang ruby 1.8.5
CVE-2009-4492 HIGH

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
ruby-lang webrick 1.3.1
CVE-2009-5147 HIGH

DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20

Products Affected

Vendor Product Version
ruby-lang ruby 2.1.2
ruby-lang ruby 2.1.7
ruby-lang ruby 1.9.3
ruby-lang ruby 2.0.0
ruby-lang ruby 2.1.6
ruby-lang ruby 1.8.0
ruby-lang ruby 2.1.0
ruby-lang ruby 2.1.3
ruby-lang ruby 1.9.2
ruby-lang ruby 2.1.4
ruby-lang ruby 1.9.0
ruby-lang ruby 2.1.5
ruby-lang ruby 2.1.1
CVE-2010-2489 HIGH

Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119

Products Affected

Vendor Product Version
ruby-lang ruby 1.9.0-2
ruby-lang ruby 1.9.0-0
ruby-lang ruby 1.9.0-20070709
ruby-lang ruby 1.9.0-1
ruby-lang ruby 1.9.0-20060415
ruby-lang ruby 1.9.1
CVE-2011-0188 MEDIUM

The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189

Products Affected

Vendor Product Version
ruby-lang ruby 1.9.0-2
ruby-lang ruby *
ruby-lang ruby 1.9.0-0
ruby-lang ruby 1.9.0-20070709
ruby-lang ruby 1.9.0-1
ruby-lang ruby 1.9.0-20060415
ruby-lang ruby 1.9.2
ruby-lang ruby 1.9.1
ruby-lang ruby 1.9
ruby-lang ruby 1.9.0
CVE-2011-1004 MEDIUM

The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59

Products Affected

Vendor Product Version
ruby-lang ruby 1.8.6
ruby-lang ruby 1.8.7
ruby-lang ruby 1.8.8
ruby-lang ruby 1.9.2
ruby-lang ruby 1.9.3
ruby-lang ruby 1.9.1
CVE-2011-1005 MEDIUM

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264

Products Affected

Vendor Product Version
ruby-lang ruby 1.8.6
ruby-lang ruby 1.8.6-420
ruby-lang ruby 1.8.7-330
ruby-lang ruby 1.8.7
ruby-lang ruby 1.8.8
CVE-2011-2686 MEDIUM

Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310

Products Affected

Vendor Product Version
ruby-lang ruby 1.8.7-248
ruby-lang ruby 1.8.7-330
ruby-lang ruby *
ruby-lang ruby 1.8.7
ruby-lang ruby 1.8.7-160
ruby-lang ruby 1.8.7-299
ruby-lang ruby 1.8.7-173
ruby-lang ruby 1.8.7-p21
ruby-lang ruby 1.8.7-302
ruby-lang ruby 1.8.7-249
CVE-2011-2705 MEDIUM

The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
ruby-lang ruby 1.8.7-248
ruby-lang ruby 1.8.7-330
ruby-lang ruby 1.9.0-20070709
ruby-lang ruby 1.9.0-1
ruby-lang ruby 1.8.7
ruby-lang ruby 1.8.7-160
ruby-lang ruby 1.8.7-299
ruby-lang ruby 1.9.1
ruby-lang ruby 1.8.7-302
ruby-lang ruby 1.8.7-249
ruby-lang ruby 1.9.0-2
ruby-lang ruby 1.9.2-p180
ruby-lang ruby *
ruby-lang ruby 1.9.0-0
ruby-lang ruby 1.9.2-p136
ruby-lang ruby 1.8.7-173
ruby-lang ruby 1.8.7-p21
ruby-lang ruby 1.9.0-20060415
ruby-lang ruby 1.9.2
ruby-lang ruby 1.9
ruby-lang ruby 1.9.0
CVE-2011-3009 MEDIUM

Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310

Products Affected

Vendor Product Version
ruby-lang ruby 1.8.6
ruby-lang ruby *
CVE-2011-4815 HIGH

Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20

Products Affected

Vendor Product Version
ruby-lang ruby 1.8.7-p299
ruby-lang ruby *
ruby-lang ruby 1.8.7-p334
ruby-lang ruby 1.8.7-p302
ruby-lang ruby 1.8.7-p330
CVE-2012-4481 MEDIUM

The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264

Products Affected

Vendor Product Version
ruby-lang ruby 1.8.7
CVE-2012-5380 MEDIUM

Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Ruby193\bin directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the Ruby installation.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other, CWE-22

Products Affected

Vendor Product Version
ruby-lang ruby 1.9.3
CVE-2013-0256 MEDIUM

darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
ruby-lang ruby 2.0.0
ruby-lang ruby 2.0
ruby-lang rdoc *
ruby-lang ruby 1.9.2
ruby-lang rdoc 4.0.0
ruby-lang ruby 1.9.3
ruby-lang ruby 1.9.1
ruby-lang ruby 1.9
canonical ubuntu_linux 12.10
CVE-2013-1821 MEDIUM

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
ruby-lang ruby 2.0.0
ruby-lang ruby *
ruby-lang ruby 2.0
ruby-lang ruby 1.9.2
ruby-lang ruby 1.9.3
ruby-lang ruby 1.9.1
ruby-lang ruby 1.9
CVE-2013-1945 LOW

ruby193 uses an insecure LD_LIBRARY_PATH setting.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-829

Products Affected

Vendor Product Version
ruby-lang ruby193 -
CVE-2013-2065 MEDIUM

(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264

Products Affected

Vendor Product Version
ruby-lang ruby 2.0.0
ruby-lang ruby 2.0
opensuse opensuse 12.2
ruby-lang ruby 1.9.2
ruby-lang ruby 1.9.3
ruby-lang ruby 1.9.1
ruby-lang ruby 1.9
opensuse opensuse 12.3
CVE-2013-4073 MEDIUM

The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310

Products Affected

Vendor Product Version
ruby-lang ruby 2.0.0
ruby-lang ruby 1.8.6-26
ruby-lang ruby 1.8.7
ruby-lang ruby 1.9.3
CVE-2013-4164 MEDIUM

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119

Products Affected

Vendor Product Version
ruby-lang ruby 2.0.0
ruby-lang ruby 2.1
ruby-lang ruby 1.8
ruby-lang ruby 1.9.2
ruby-lang ruby 1.9.3
ruby-lang ruby 1.9.1
ruby-lang ruby 1.9
CVE-2013-4287 MEDIUM

Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310

Products Affected

Vendor Product Version
rubygems rubygems 1.8.22
rubygems rubygems 1.8.3
ruby-lang ruby 2.0
rubygems rubygems 1.8.20
rubygems rubygems 1.8.14
rubygems rubygems 1.8.2
ruby-lang ruby 1.9.1
rubygems rubygems 1.8.24
rubygems rubygems 1.8.8
ruby-lang ruby 2.0.0
rubygems rubygems 1.8.21
ruby-lang ruby 1.9.2
rubygems rubygems 1.8.17
rubygems rubygems 1.8.19
rubygems rubygems 1.8.5
ruby-lang ruby 1.9
rubygems rubygems 1.8.0
rubygems rubygems 1.8.7
rubygems rubygems 2.0.2
rubygems rubygems 1.8.25
rubygems rubygems 1.8.4
rubygems rubygems 1.8.10
rubygems rubygems 1.8.12
rubygems rubygems 2.0.1
rubygems rubygems 2.0.7
rubygems rubygems 1.8.18
rubygems rubygems 2.1.0
ruby-lang ruby 1.9.3
rubygems rubygems 2.0.0
rubygems rubygems 2.0.6
rubygems rubygems *
rubygems rubygems 1.8.9
rubygems rubygems 2.0.3
redhat enterprise_linux 6.0
rubygems rubygems 2.0.4
rubygems rubygems 2.0.5
rubygems rubygems 1.8.11
rubygems rubygems 1.8.16
rubygems rubygems 1.8.1
rubygems rubygems 1.8.6
rubygems rubygems 1.8.13
rubygems rubygems 1.8.15
CVE-2013-4363 MEDIUM

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310

Products Affected

Vendor Product Version
rubygems rubygems 1.8.22
rubygems rubygems 1.8.20
rubygems rubygems 1.8.14
rubygems rubygems 2.1.1
rubygems rubygems 1.8.2
ruby-lang ruby 1.9.1
ruby-lang ruby 1.9.2
rubygems rubygems 1.8.5
ruby-lang ruby 1.9
rubygems rubygems 1.8.7
rubygems rubygems 2.0.2
rubygems rubygems 1.8.12
rubygems rubygems 2.0.7
rubygems rubygems 1.8.26
rubygems rubygems 2.0.0
rubygems rubygems 1.8.9
rubygems rubygems 2.1.3
rubygems rubygems 2.0.8
rubygems rubygems 2.0.4
rubygems rubygems 1.8.11
rubygems rubygems 2.0.9
rubygems rubygems 1.8.16
rubygems rubygems 1.8.1
rubygems rubygems 1.8.13
rubygems rubygems 1.8.15
rubygems rubygems 1.8.3
ruby-lang ruby 2.0
rubygems rubygems 1.8.24
rubygems rubygems 1.8.8
rubygems rubygems 2.1.4
ruby-lang ruby 2.0.0
rubygems rubygems 1.8.21
rubygems rubygems 1.8.17
rubygems rubygems 1.8.19
rubygems rubygems 2.1.2
rubygems rubygems 1.8.0
rubygems rubygems 1.8.25
rubygems rubygems 1.8.4
rubygems rubygems 1.8.10
rubygems rubygems 2.0.1
rubygems rubygems 1.8.18
rubygems rubygems 2.1.0
ruby-lang ruby 1.9.3
rubygems rubygems 2.0.6
rubygems rubygems *
rubygems rubygems 2.0.3
rubygems rubygems 2.0.5
rubygems rubygems 1.8.6
CVE-2014-2734 MEDIUM

The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399

Products Affected

Vendor Product Version
ruby-lang ruby 2.0.0
ruby-lang ruby 2.1
ruby-lang ruby 2.0
ruby-lang ruby 2.1.1
CVE-2014-4975 MEDIUM

Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
ruby-lang ruby 2.1.2
ruby-lang ruby 2.0
debian debian_linux 8.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 7.0
canonical ubuntu_linux 14.10
redhat enterprise_linux_hpc_node 7.0
canonical ubuntu_linux 12.04
ruby-lang ruby 2.0.0
redhat enterprise_linux_desktop 7.0
ruby-lang ruby *
ruby-lang ruby 2.1
debian debian_linux 7.0
ruby-lang ruby 2.1.1
CVE-2014-6438 MEDIUM

The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399

Products Affected

Vendor Product Version
ruby-lang ruby *
CVE-2014-8080 MEDIUM

The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
opensuse opensuse 13.1
ruby-lang ruby 2.1.2
redhat enterprise_linux 7.0
canonical ubuntu_linux 14.04
ruby-lang ruby 1.9.3
canonical ubuntu_linux 14.10
canonical ubuntu_linux 12.04
ruby-lang ruby 2.0.0
ruby-lang ruby *
redhat enterprise_linux 6.0
ruby-lang ruby 2.1.3
opensuse opensuse 12.3
ruby-lang ruby 2.1.1
CVE-2014-8090 MEDIUM

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
ruby-lang ruby 2.0.0
ruby-lang ruby 2.1.2
ruby-lang ruby *
ruby-lang ruby 2.1.3
ruby-lang ruby 2.1.4
ruby-lang ruby 1.9.3
ruby-lang ruby 2.1.1
CVE-2015-1855 MEDIUM

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
ruby-lang ruby 2.0.0
ruby-lang ruby *
ruby-lang trunk *
puppet puppet_enterprise *
debian debian_linux 8.0
debian debian_linux 9.0
puppet puppet_agent 1.0.0
debian debian_linux 7.0
CVE-2015-3900 MEDIUM

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254

Products Affected

Vendor Product Version
rubygems rubygems 2.0.15
rubygems rubygems 2.2.3
ruby-lang ruby 2.2.0
rubygems rubygems 2.4.2
ruby-lang ruby 1.9.1
rubygems rubygems 2.2.2
rubygems rubygems 2.0.10
ruby-lang ruby 2.0.0
rubygems rubygems 2.4.1
ruby-lang ruby 2.1.3
ruby-lang ruby 1.9.2
ruby-lang ruby 2.1.4
rubygems rubygems 2.0.14
rubygems rubygems 2.2.0
ruby-lang ruby 1.9
rubygems rubygems 2.0.2
ruby-lang ruby 2.1.5
ruby-lang ruby 2.1.2
rubygems rubygems 2.4.5
rubygems rubygems 2.0.11
rubygems rubygems 2.0.1
rubygems rubygems 2.0.7
redhat enterprise_linux 7.0
rubygems rubygems 2.4.6
ruby-lang ruby 1.9.3
rubygems rubygems 2.0.12
rubygems rubygems 2.0.0
rubygems rubygems 2.0.6
rubygems rubygems 2.4.3
rubygems rubygems 2.0.3
rubygems rubygems 2.0.13
rubygems rubygems 2.0.8
ruby-lang ruby 2.1
redhat enterprise_linux 6.0
rubygems rubygems 2.0.4
rubygems rubygems 2.2.1
rubygems rubygems 2.0.5
rubygems rubygems 2.0.9
rubygems rubygems 2.4.0
oracle solaris 11.3
ruby-lang ruby 2.1.1
rubygems rubygems 2.4.4
CVE-2015-7551 MEDIUM

The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
ruby-lang ruby 2.1.2
ruby-lang ruby 2.2.0
ruby-lang ruby 2.1.7
ruby-lang ruby 2.2.2
ruby-lang ruby 2.2.1
ruby-lang ruby *
ruby-lang ruby 2.1.6
ruby-lang ruby 2.1.0
ruby-lang ruby 2.1.3
ruby-lang ruby 2.1.4
apple mac_os_x *
ruby-lang ruby 2.2.3
ruby-lang ruby 2.1.5
ruby-lang ruby 2.1.1
CVE-2015-9096 MEDIUM

Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-93

Products Affected

Vendor Product Version
ruby-lang ruby *
CVE-2016-2336 HIGH

Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. An attacker passing a different type of object than the one assumed by the developers can cause arbitrary code execution.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
ruby-lang ruby 2.3.0
ruby-lang ruby 2.2.2
CVE-2016-2337 HIGH

Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker passing a different type of object than String as the "retval" argument can cause arbitrary code execution.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
ruby-lang ruby 2.3.0
ruby-lang ruby 2.2.2
CVE-2016-2338

An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In the Psych::Emitter start_document function, the heap buffer "head" is allocated based on the length of the tags array. A specially constructed object passed as an element of the tags array can increase the array's size after that allocation and cause a heap overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ruby-lang ruby 2.3.0
debian debian_linux 8.0
ruby-lang ruby 2.2.2
CVE-2016-2339 HIGH

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize", the heap buffer "arg_types" is allocated based on the length of the args array. A specially constructed object passed as an element of the args array can increase the array's size after that allocation and cause a heap overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119

Products Affected

Vendor Product Version
ruby-lang ruby 2.3.0
ruby-lang ruby 2.2.2
CVE-2016-7798 MEDIUM

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-326

Products Affected

Vendor Product Version
ruby-lang openssl *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2017-0898 MEDIUM

Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precision specifier (*) with a huge negative value. Such a situation can lead to a buffer overrun, resulting in heap memory corruption or an information disclosure from the heap.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-134

Products Affected

Vendor Product Version
ruby-lang ruby 2.3.0
ruby-lang ruby 2.2.0
ruby-lang ruby 2.2.2
ruby-lang ruby 2.2.5
ruby-lang ruby 2.3.4
ruby-lang ruby 2.4.1
ruby-lang ruby 2.2.1
ruby-lang ruby 2.3.1
ruby-lang ruby 2.3.2
ruby-lang ruby 2.2.6
ruby-lang ruby 2.3.3
ruby-lang ruby 2.2.7
ruby-lang ruby 2.2.3
ruby-lang ruby 2.2.4
ruby-lang ruby 2.4.0
CVE-2017-10784 HIGH

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287

Products Affected

Vendor Product Version
ruby-lang ruby 2.3.0
ruby-lang ruby 2.4.1
ruby-lang ruby 2.3.1
ruby-lang ruby *
ruby-lang ruby 2.3.2
ruby-lang ruby 2.3.3
ruby-lang ruby 2.4.0
ruby-lang ruby 2.3.4
CVE-2017-11465 HIGH

The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125, CWE-787

Products Affected

Vendor Product Version
ruby-lang ruby 2.4.1
CVE-2017-14033 MEDIUM

The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119

Products Affected

Vendor Product Version
ruby-lang ruby 2.3.0
ruby-lang ruby 2.2.0
ruby-lang ruby 2.2.2
ruby-lang ruby 2.2.5
ruby-lang ruby 2.3.4
ruby-lang ruby 2.4.1
ruby-lang ruby 2.2.1
ruby-lang ruby 2.3.1
ruby-lang ruby 2.3.2
ruby-lang ruby 2.2.6
ruby-lang ruby 2.3.3
ruby-lang ruby 2.2.7
ruby-lang ruby 2.2.3
ruby-lang ruby 2.2.4
ruby-lang ruby 2.4.0
CVE-2017-14064 HIGH

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119

Products Affected

Vendor Product Version
ruby-lang ruby 2.3.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 16.04
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server 7.0
ruby-lang ruby 2.3.4
redhat enterprise_linux_server_tus 7.6
ruby-lang ruby 2.4.1
ruby-lang ruby 2.3.1
redhat enterprise_linux_desktop 7.0
ruby-lang ruby *
ruby-lang ruby 2.3.2
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_eus 7.5
canonical ubuntu_linux 17.10
redhat enterprise_linux_server_eus 7.4
ruby-lang ruby 2.3.3
ruby-lang ruby 2.4.0
redhat enterprise_linux_server_tus 7.4
CVE-2017-17405 HIGH

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
ruby-lang ruby 2.5.0
redhat enterprise_linux_server_aus 7.6
debian debian_linux 8.0
debian debian_linux 9.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_desktop 7.0
ruby-lang ruby *
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_eus 7.4
debian debian_linux 7.0
redhat enterprise_linux_server_tus 7.4
CVE-2017-17742 MEDIUM

Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-113

Products Affected

Vendor Product Version
ruby-lang ruby *
ruby-lang ruby 2.6.0
debian debian_linux 7.0
CVE-2017-17790 HIGH

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-74

Products Affected

Vendor Product Version
ruby-lang ruby 2.5.0
ruby-lang ruby *
CVE-2017-6181 MEDIUM

The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted regular expression.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
ruby-lang ruby 2.4.0
CVE-2017-9225 HIGH

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787

Products Affected

Vendor Product Version
ruby-lang ruby *
oniguruma_project oniguruma 6.2.0
php php *
CVE-2017-9229 MEDIUM

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476

Products Affected

Vendor Product Version
ruby-lang ruby *
oniguruma_project oniguruma 6.2.0
php php *
CVE-2018-16395 HIGH

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.10
ruby-lang ruby *
canonical ubuntu_linux 16.04
ruby-lang openssl *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
redhat enterprise_linux 7.4
canonical ubuntu_linux 18.04
ruby-lang ruby 2.6.0
CVE-2018-16396 MEDIUM

An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.10
redhat enterprise_linux 7.5
canonical ubuntu_linux 16.04
redhat enterprise_linux 7.6
redhat enterprise_linux 7.0
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.04
ruby-lang ruby *
redhat enterprise_linux 6.0
redhat enterprise_linux 7.4
ruby-lang ruby 2.6.0
CVE-2018-6914 MEDIUM

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
redhat enterprise_linux 7.5
canonical ubuntu_linux 16.04
redhat enterprise_linux 7.6
redhat enterprise_linux 7.0
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
ruby-lang ruby *
redhat enterprise_linux 6.0
canonical ubuntu_linux 17.10
redhat enterprise_linux 7.4
ruby-lang ruby 2.6.0
debian debian_linux 7.0
CVE-2018-8777 MEDIUM

In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
redhat enterprise_linux 7.5
canonical ubuntu_linux 16.04
redhat enterprise_linux 7.6
redhat enterprise_linux 7.0
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
ruby-lang ruby *
redhat enterprise_linux 6.0
canonical ubuntu_linux 17.10
redhat enterprise_linux 7.4
ruby-lang ruby 2.6.0
debian debian_linux 7.0
CVE-2018-8778 MEDIUM

In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-134,

Products Affected

Vendor Product Version
redhat enterprise_linux 7.5
canonical ubuntu_linux 16.04
redhat enterprise_linux 7.6
redhat enterprise_linux 7.0
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
ruby-lang ruby *
redhat enterprise_linux 6.0
canonical ubuntu_linux 17.10
redhat enterprise_linux 7.4
ruby-lang ruby 2.6.0
debian debian_linux 7.0
CVE-2018-8779 MEDIUM

In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
ruby-lang ruby *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 17.10
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
ruby-lang ruby 2.6.0
debian debian_linux 7.0
CVE-2018-8780 HIGH

In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
ruby-lang ruby *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 17.10
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
ruby-lang ruby 2.6.0
debian debian_linux 7.0
CVE-2019-11879 LOW

The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory. NOTE: The vendor states that this is analogous to Options FollowSymlinks in the Apache HTTP Server, and therefore it is "not a problem."

CVSS 2.0

Severity: LOW

Problem Type: CWE-22,CWE-59,

Products Affected

Vendor Product Version
ruby-lang webrick 1.4.2
CVE-2019-15845 MEDIUM

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
canonical ubuntu_linux 19.10
ruby-lang ruby *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 19.04
canonical ubuntu_linux 18.04
CVE-2019-16201 HIGH

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
ruby-lang ruby *
debian debian_linux 8.0
CVE-2019-16254 MEDIUM

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
ruby-lang ruby *
debian debian_linux 8.0
CVE-2019-16255 MEDIUM

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
ruby-lang ruby *
debian debian_linux 8.0
debian debian_linux 9.0
opensuse leap 15.1
oracle graalvm 19.3.0.2
CVE-2020-10933 MEDIUM

An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-908,

Products Affected

Vendor Product Version
fedoraproject fedora 31
ruby-lang ruby *
ruby-lang ruby 2.7.0
debian debian_linux 10.0
CVE-2020-25613 MEDIUM

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,

Products Affected

Vendor Product Version
ruby-lang ruby *
fedoraproject fedora 33
fedoraproject fedora 32
ruby-lang webrick *
CVE-2020-5247 MEDIUM

In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L 2.3 3.7
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-113,CWE-74,

Products Affected

Vendor Product Version
fedoraproject fedora 31
fedoraproject fedora 30
ruby-lang ruby *
puma puma *
ruby-lang ruby 2.7.0
fedoraproject fedora 32
debian debian_linux 9.0
CVE-2020-8130 MEDIUM

There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
fedoraproject fedora 31
fedoraproject fedora 30
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
debian debian_linux 8.0
ruby-lang rake *
canonical ubuntu_linux 18.04
opensuse leap 15.1
CVE-2021-28965 MEDIUM

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
fedoraproject fedora 34
ruby-lang ruby *
ruby-lang rexml *
CVE-2021-28966 MEDIUM

In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
ruby-lang ruby *
CVE-2021-31799 MEDIUM

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 9.0
ruby-lang rdoc *
debian debian_linux 10.0
CVE-2021-31810 MEDIUM

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ruby-lang ruby *
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 9.0
CVE-2021-32066 MEDIUM

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
ruby-lang ruby *
oracle jd_edwards_enterpriseone_tools *
CVE-2021-33621

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

Products Affected

Vendor Product Version
fedoraproject fedora 37
ruby-lang ruby *
fedoraproject fedora 35
fedoraproject fedora 36
ruby-lang cgi *
CVE-2021-41816 HIGH

CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
fedoraproject fedora 34
fedoraproject fedora 35
ruby-lang cgi *
CVE-2021-41817 MEDIUM

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1333,

Products Affected

Vendor Product Version
suse linux_enterprise 15.0
redhat enterprise_linux 7.0
opensuse leap 15.2
debian debian_linux 9.0
suse linux_enterprise 12.0
opensuse factory -
fedoraproject fedora 34
redhat enterprise_linux 8.0
ruby-lang date *
ruby-lang ruby *
fedoraproject fedora 35
redhat software_collections -
ruby-lang date 3.2.0
debian debian_linux 10.0
debian debian_linux 11.0
CVE-2021-41819 MEDIUM

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-565,

Products Affected

Vendor Product Version
ruby-lang cgi 0.1.0
suse linux_enterprise 11.0
suse linux_enterprise 15.0
ruby-lang cgi 0.2.0
opensuse leap 15.2
debian debian_linux 9.0
suse linux_enterprise 12.0
opensuse factory -
fedoraproject fedora 34
redhat enterprise_linux 8.0
ruby-lang ruby *
ruby-lang cgi 0.3.0
fedoraproject fedora 35
redhat software_collections -
debian debian_linux 10.0
debian debian_linux 11.0
CVE-2022-28738 HIGH

A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
ruby-lang ruby *
CVE-2022-28739 MEDIUM

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
ruby-lang ruby *
apple macos *
debian debian_linux 9.0
debian debian_linux 10.0
debian debian_linux 11.0
CVE-2023-28755

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
ruby-lang uri 0.10.1
ruby-lang uri 0.11.0
fedoraproject fedora 37
ruby-lang uri *
ruby-lang uri 0.12.0
fedoraproject fedora 38
fedoraproject fedora 36
debian debian_linux 10.0
CVE-2023-28756

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 37
ruby-lang ruby *
fedoraproject fedora 38
fedoraproject fedora 36
ruby-lang time 0.1.0
debian debian_linux 10.0
ruby-lang time 0.2.1
CVE-2023-36617

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

Products Affected

Vendor Product Version
ruby-lang uri *
CVE-2024-35176

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability. The REXML gem 3.2.7 or later includes the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
ruby-lang rexml *
CVE-2024-39908

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities. The REXML gem 3.3.2 or later includes the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
netapp bootstrap_os -
ruby-lang rexml *
CVE-2024-41123

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace characters, `>]` and `]>`. The REXML gem 3.3.3 or later includes the patches to fix these vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
ruby-lang rexml *
CVE-2024-41946

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with the SAX2 or pull parser API. The REXML gem 3.3.3 or later includes the patch to fix the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
ruby-lang rexml *
CVE-2024-43398

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have the same local name attributes. If you need to parse untrusted XMLs with a tree parser API like REXML::Document.new, you may be impacted by this vulnerability. If you use other parser APIs such as the stream parser API and the SAX2 parser API, you are not affected by this vulnerability. The REXML gem 3.3.6 or later includes the patch to fix the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
netapp bootstrap_os -
ruby-lang rexml *
CVE-2024-49761

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later includes the patch to fix the vulnerability.

Products Affected

Vendor Product Version
ruby-lang rexml *
netapp ontap_tools 10
CVE-2025-27219

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
ruby-lang cgi *
ruby-lang cgi 0.3.6
CVE-2025-27220

In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L 2.2 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
ruby-lang cgi *
ruby-lang cgi 0.3.6
CVE-2025-27221

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 3.2 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N 1.4 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
ruby-lang uri *
tal url *
CVE-2025-43857

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname). This issue has been patched in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
ruby-lang net::imap *
CVE-2025-58767

REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted by this vulnerability. The REXML gem 3.4.2 or later includes the patches to fix this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
ruby-lang rexml *
CVE-2025-6442

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

Products Affected

Vendor Product Version
ruby-lang webrick *
CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.

Products Affected

Vendor Product Version
ruby-lang json *